
I'm trying to filter a specific device from my network. Either MAC or IP address filtering would do the trick, but I have trouble finding the exact Cisco IOS commands to use. My router is a Cisco 870 and the device is connected through wifi (if that makes a difference).

I need a fairly simple setup that I can switch on and off easily. This is for development purposes and I need to simulate connectivity changes to that specific device without bothering anyone else connected to that same router.

ACL seems like a way some people suggest, but I am a noob when it comes to configuring Cisco routers and don't know how exactly to work with them.

Edit:

The commands Kyle mentioned did not work exactly as typed, and when I ran the adjusted commands below, they did not appear to work either:

ip access-list extended demo
deny ip host 192.168.3.33 any
permit ip any any
exit
interface Vlan 1
ip access-group demo in

Vlan 1 is the virtual interface the device is connected to. I also tried running the last line after

interface Dot11Radio 0

but that did not work either. The router does not give any errors, but the device can still access the network. Tips?

SaltyNuts
  • That should disallow any packets from that IP to *traverse* the router, but may not disallow packets that stay on VLAN1. – MikeyB Jul 27 '10 at 17:53
  • But the device can access hosts outside of Vlan 1 after running these commands. Is that supposed to happen? – SaltyNuts Jul 27 '10 at 18:14

3 Answers


Basically you want to block the interface with ACL as you mentioned. The rule of thumb is to block it as close to the source as possible. So you would use something like:

ip access-list extended Wifi-In
   deny ip host 192.168.1.140 any
   permit ip any any

This ACL blocks anything with a source IP of 192.168.1.140 from passing. For it to work you must apply it to an interface.

You would then apply it to the wireless interface with:

int Wlan0/0
   ip access-group Wifi-In in

My syntax is not exact, but that is the basic idea. If you post the relevant parts of the config (you might want to censor any passwords and public IPs) we might be able to give you a better answer.

Kyle Brandt
  • It's kind of hard for me to say what's relevant in my config. The name of the physical wifi interface is Dot11Radio 0, while the virtual interface the device connects to (according to show mac-address-table) is Vlan 1. Anything else that would matter? – SaltyNuts Jul 27 '10 at 17:54
  • You applied it to the Vlan1 interface (which is layer 3). This means that it will only apply to packets traversing the router. Try the MAC filtering method on your layer 2 interface. – MikeyB Jul 27 '10 at 18:08
  • Oh I see this is all local to the LAN.... – Kyle Brandt Jul 27 '10 at 18:20
  • Mikey, is Dot11Radio a layer 2 interface? I tried your suggestion, but while it creates the access lists just fine, I cannot attach to the interface using the command you have. – SaltyNuts Jul 27 '10 at 18:24
  • Well, I think this will work if you make it so it has to go through the router. Basically give the vlan interface some secondary ip like `192.168.15.1/24` and make the client use that, then it will have to go through Layer 3. Not sure if that satisfies your needs though. – Kyle Brandt Jul 27 '10 at 19:44

If your hardware supports it:

access-list 700 deny 0003.fd1b.8700 0000.0000.0000
access-list 700 permit 0000.0000.0000 ffff.ffff.ffff
int Wlan0/0
   mac access-group 700 in

should do the trick.

MikeyB
  • Looks like the very last line is not supported. Perhaps there is another way to attach the access-list to the interface? – SaltyNuts Jul 27 '10 at 18:13
  • The exact command varies depending on the hardware - medina found the right combo. – MikeyB Jul 28 '10 at 14:03

You might want to see Filters Using MAC-Based ACLs.

Can you provide details about the hardware / software you're running?

Update:

So based on the information you supplied I believe this is the correct answer. From the linked document above:

AP# configure terminal
AP(config)# access-list 700 deny 0040.96a5.b5d4 0000.0000.0000

!--- This ACL denies all traffic to and from
!--- the client with MAC address 0040.96a5.b5d4.

AP(config)# access-list 700 permit 0000.0000.0000 ffff.ffff.ffff

!--- Every other client stays permitted; without this line the
!--- implicit deny at the end of the list would refuse all clients.

AP(config)# interface Dot11Radio0.1

!--- Or whatever the radio interface is

AP(config-if)# dot11 association mac-list 700
medina
  • Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(11)T2, RELEASE SOFTWARE (fc4). Hardware is a 871 router. – SaltyNuts Jul 27 '10 at 21:21
  • This appears to work, except for still allowing some existing sessions to continue for a short time after running this command. Thanks. – SaltyNuts Jul 28 '10 at 12:14
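Added example (not from the thread or from Cisco) that models the IOS 48-bit MAC access-list semantics the last two answers rely on: top-down first match, a wildcard mask where a set bit means "don't care", and the implicit deny at the end. The ACL text and MAC addresses are constructed from the lines quoted on this page; `parse_mac_acl` and `evaluate` are hypothetical helper names.

```python
"""Offline evaluator for Cisco IOS 48-bit MAC access lists (numbers 700-799).

Constructed helper, not IOS code. Entries are checked top-down, the first
match wins, the mask is a wildcard (1 bit = ignore that bit), and a list
with no matching entry denies. That last rule is why a list holding only
a deny line would refuse every client, not just the one named in it.
"""
import re

ENTRY_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s*$", re.I)


def mac_to_int(mac: str) -> int:
    """'0040.96a5.b5d4' or '00:40:96:a5:b5:d4' -> 48-bit integer."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def parse_mac_acl(config: str, number: int):
    """Return the ordered (action, address, wildcard) entries of one ACL."""
    entries = []
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and int(m.group(1)) == number:
            entries.append((m.group(2).lower(),
                            mac_to_int(m.group(3)), mac_to_int(m.group(4))))
    return entries


def evaluate(entries, client_mac: str) -> str:
    """First matching entry decides; no match falls through to implicit deny."""
    client = mac_to_int(client_mac)
    for action, address, wildcard in entries:
        # Bits set in the wildcard are ignored; all other bits must match.
        if (client & ~wildcard) == (address & ~wildcard):
            return action
    return "deny"  # implicit deny at the end of every IOS access list


# Constructed sample: the list from the page plus the permit-all line that
# keeps every other client associating.
SAMPLE = """
access-list 700 deny 0040.96a5.b5d4 0000.0000.0000
access-list 700 permit 0000.0000.0000 ffff.ffff.ffff
"""

if __name__ == "__main__":
    acl = parse_mac_acl(SAMPLE, 700)
    for mac in ("0040.96a5.b5d4", "0040.96a5.b5d5"):
        print(mac, evaluate(acl, mac))
```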